security update for uuid xmlsitemap file_field_path
This commit is contained in:
@@ -1,5 +1,33 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* @file
|
||||
* UUID Services module functions.
|
||||
*/
|
||||
|
||||
/**
|
||||
* Defines defaults for UUID_SERVICES_ALLOWED_MEDIA_MIMES.
|
||||
*/
|
||||
define('UUID_SERVICES_DEFAULT_ALLOWED_MEDIA_MIMES',
|
||||
'video/brightcove
|
||||
video/youtube'
|
||||
);
|
||||
|
||||
/**
|
||||
* Implements hook_menu().
|
||||
*/
|
||||
function uuid_services_menu() {
|
||||
$items['admin/config/services/uuid-services'] = array(
|
||||
'title' => 'UUID Services',
|
||||
'description' => 'Configure settings for UUID Services.',
|
||||
'access arguments' => array('administer services'),
|
||||
'page callback' => 'drupal_get_form',
|
||||
'page arguments' => array('uuid_services_settings'),
|
||||
'file' => 'uuid_services.admin.inc',
|
||||
);
|
||||
return $items;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements hook_services_resources_alter().
|
||||
*
|
||||
@@ -14,7 +42,7 @@
|
||||
*/
|
||||
function uuid_services_services_resources_alter(&$resources, &$endpoint) {
|
||||
foreach (entity_get_info() as $entity_type => $entity_info) {
|
||||
if (isset($entity_info['uuid']) && $entity_info['uuid'] == TRUE && isset($resources[$entity_type])) {
|
||||
if (isset($entity_info['uuid']) && $entity_info['uuid'] == TRUE && (isset($resources[$entity_type]) || variable_get('uuid_services_support_all_entity_types', FALSE))) {
|
||||
unset($resources[$entity_type]['operations']['create']);
|
||||
|
||||
// Alter 'retrieve' method to use UUID enabled functions and arguments.
|
||||
@@ -126,6 +154,22 @@ function _uuid_services_entity_update($entity_type, $uuid, $entity) {
|
||||
else {
|
||||
$entity = (object) $entity;
|
||||
}
|
||||
$entity->uuid_services = TRUE;
|
||||
// Check that the mime type is whitelisted.
|
||||
$valid_media_mimes = variable_get('uuid_services_allowed_media_mimes', UUID_SERVICES_DEFAULT_ALLOWED_MEDIA_MIMES);
|
||||
|
||||
// Sanitize file user input.
|
||||
if ($entity_type == 'file') {
|
||||
// We have to make sure to whitelist mime types, to avoid the video files
|
||||
// getting converted into text files, when deployed from one env to other.
|
||||
if (!in_array($entity->filemime, preg_split('/\r?\n/', $valid_media_mimes))) {
|
||||
$entity->filename = _services_file_check_name_extension($entity->filename);
|
||||
$entity->uri = _services_file_check_destination_uri($entity->uri);
|
||||
if (!empty($entity->filepath)) {
|
||||
$entity->filepath = _services_file_check_destination($entity->filepath);
|
||||
}
|
||||
}
|
||||
}
|
||||
entity_uuid_save($entity_type, $entity);
|
||||
return $entity;
|
||||
}
|
||||
@@ -142,7 +186,15 @@ function _uuid_services_entity_update($entity_type, $uuid, $entity) {
|
||||
*/
|
||||
function _uuid_services_entity_delete($entity_type, $uuid) {
|
||||
try {
|
||||
$return = entity_uuid_delete($entity_type, array($uuid));
|
||||
$uuid_exist = (bool) entity_get_id_by_uuid($entity_type, array($uuid));
|
||||
if (!$uuid_exist) {
|
||||
/* UUID not found. Don't try to delete something that doesn't exist. */
|
||||
$args = array('@uuid' => $uuid, '@type' => $entity_type);
|
||||
watchdog('uuid_services', 'UUID @uuid not found for entity type @type', $args, WATCHDOG_WARNING);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
$return = entity_uuid_delete($entity_type, array($uuid)) !== FALSE;
|
||||
return $return;
|
||||
}
|
||||
catch (Exception $exception) {
|
||||
@@ -154,14 +206,14 @@ function _uuid_services_entity_delete($entity_type, $uuid) {
|
||||
/**
|
||||
* Access callback.
|
||||
*
|
||||
* @param $op
|
||||
* @param string $op
|
||||
* The operation we are trying to do on the entity. Can only be:
|
||||
* - "view"
|
||||
* - "update"
|
||||
* - "delete"
|
||||
* See 'uuid_services_services_resources_alter()' for an explanation why
|
||||
* 'create' is missing.
|
||||
* @param $args
|
||||
* @param array $args
|
||||
* The arguments passed to the method. The keys are holding the following:
|
||||
* 0. <entity_type>
|
||||
* 1. <uuid>
|
||||
@@ -182,7 +234,7 @@ function _uuid_services_entity_access($op, $args) {
|
||||
entity_make_entity_local($entity_type, $entity);
|
||||
}
|
||||
// Fetch the local entity if we've got an id.
|
||||
elseif (!empty($entity_id)) {
|
||||
elseif (!empty($entity_ids)) {
|
||||
$entities = entity_load($entity_type, $entity_ids);
|
||||
$entity = reset($entities);
|
||||
}
|
||||
@@ -192,10 +244,9 @@ function _uuid_services_entity_access($op, $args) {
|
||||
if ($op == 'update' && empty($entity_ids)) {
|
||||
$op = 'create';
|
||||
}
|
||||
// Taxonomy and Comment module uses 'edit' instead of 'update'.
|
||||
// Oh, how I love Drupal consistency.
|
||||
if (($entity_type == 'taxonomy_term' || $entity_type == 'comment') && $op == 'update') {
|
||||
$op = 'edit';
|
||||
// If the user doesn't exist return 406 like services does.
|
||||
if (($entity_type == 'user' && empty($entity) && $op == 'view')) {
|
||||
return services_error(t('There is no user with UUID @uuid.', array('@uuid' => $args[1])), 406);;
|
||||
}
|
||||
// The following code is taken from entity_access() with some extra logic
|
||||
// to handle the case where an entity type is not defining an access
|
||||
@@ -211,18 +262,3 @@ function _uuid_services_entity_access($op, $args) {
|
||||
return services_error($exception, 406, $entity_type);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements hook_services_resources().
|
||||
*/
|
||||
function uuid_services_services_resources() {
|
||||
module_load_include('inc', 'uuid_services', 'resources/field_collection.resource');
|
||||
|
||||
$resources = array(
|
||||
'#api_version' => 3002,
|
||||
);
|
||||
|
||||
$resources += _field_collection_resource_definition();
|
||||
|
||||
return $resources;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user